For the purposes of kernel logging, why do I have three different, non-inclusive levels of logging amongst /var/log/messages, /var/log/syslog, and /var/log/kern.log?
-
Note that /var/log/messages is usually the syslog on non-Debian/non-Ubuntu systems such as RHEL or CentOS. – Thomas Ward Oct 03 '18 at 15:42
-
Note that `journalctl` is slowly replacing `syslog` as the go-to resource for monitoring system messages. – WinEunuuchs2Unix Oct 03 '18 at 17:53
-
what about syslog and syslog.1 ? what is the difference... – haytham-med haytham Jan 18 '20 at 22:18
-
@haytham-medhaytham you may find the "Log Rotation" section in this [link](https://help.ubuntu.com/community/LinuxLogFiles#Log_Rotation) helpful – wtj Jul 15 '22 at 13:13
2 Answers
Syslog is a standard logging facility. It collects messages of various programs and services including the kernel, and stores them, depending on setup, in a bunch of log files typically under /var/log. In some datacenter setups there are hundreds of devices each with its own log; syslog comes in handy here too. One just sets up a dedicated syslog server which collects all the individual device logs over the network. Syslog can also save logs to databases, and other clients.
According to my /etc/syslog.conf, by default /var/log/kern.log captures only the kernel's messages of any loglevel; i.e. the output of dmesg.
/var/log/messages instead aims at storing valuable, non-debug and non-critical messages. This log should be considered the "general system activity" log.
/var/log/syslog in turn logs everything, except auth related messages.
Other interesting standard logs managed by syslog are /var/log/auth.log and /var/log/mail.log.
2020 update
You may still stumble upon syslog; but the defaults have changed.
journald has replaced syslog in quite a big portion of systems, including Ubuntu.
This is relevant because you won't be finding /var/log/messages that often anymore. journald doesn't write plaintext logs — it uses its own, compressed and partially authenticated format.
Search online for e.g. journalctl cheatsheet, or just study man 8 systemd-journald, man 1 journalctl yourself.
Syslog and journald are, to a degree, cross-compatible; you can transport logs between them in either direction. However, you won't get plaintext logs à la /var/log/messages with journald; and you won't get structured (`journalctl -o json-pretty`) and authenticated logging with syslog.
-
Note that entries in the kernel ring buffer (what dmesg reads) won't make it into any /var/log file by default if they were written by a user space process. You need to set `$KLogPermitNonKernelFacility on` in rsyslogd's config if you want to see those messages in `/var/log`. See my answer at http://askubuntu.com/a/490900/297973 for more details. – Vanessa Phipps Jul 02 '14 at 17:54
-
also worth noting that ubuntu ([since natty](https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/794727)) no longer uses `/var/log/messages`, and stores everything on `/var/log/syslog` – jackbravo Jan 23 '15 at 17:29
-
in Ubuntu 16.04 `/var/log/syslog` is indeed a clean superset of `/var/log/kern.log` with the caveat that one has to account for different rotation strategies. E.g. in my system (default config unchanged) today's and yesterday's messages are kept in a single file in `/var/log/kern.log` whereas most of yesterday's messages for `syslog` are in `/var/log/syslog.1`. – Marcus Junius Brutus Nov 12 '16 at 18:25
-
On at least some systems `/var/log/messages` is where `dmesg` logs to FWIW... (Red Hat) – rogerdpack Dec 14 '21 at 18:57
- `syslog` contains all the messages except of type auth.
- `messages` contains only generic non-critical messages. The category is `info`, `notice` and `warn`
- For complete log look at `/var/log/syslog` and `/var/log/auth.log`
- AFAIK `/var/log/kern.log` contains kernel messages.
- log files are just a convention spelled out in /etc/syslog.conf
- read `syslog(3)` for more information

Check this page about differences between messages and syslog; it says /var/log/messages ⊂ /var/log/syslog
-
@slm [Here is the archived version](http://wayback.archive.org/web/20101007163324/http://namakajiri.net/complog/the-difference-between-messages-and-syslog/). – ignis Aug 25 '13 at 11:30
-
Duplicating the comment on ulidtko's answer: also worth noting that ubuntu ([since natty](https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/794727)) no longer uses `/var/log/messages`, and stores everything on `/var/log/syslog` – jackbravo Jan 23 '15 at 17:30
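The routing both answers describe, as an added example that is not part of the original posts: a small evaluator for syslog selector lists that reports which files a message with a given facility and severity lands in. The rules are the classic Debian default rsyslog selectors, written here from memory as an assumption (the page does not quote the file, and Ubuntu no longer enables the `/var/log/messages` rule); the function names are hypothetical.

```python
SEVERITIES = ["emerg", "alert", "crit", "err", "warn", "notice", "info", "debug"]

# Assumed rules: classic Debian default selectors, not quoted on this page.
RULES = [
    ("auth,authpriv.*", "/var/log/auth.log"),
    ("*.*;auth,authpriv.none", "/var/log/syslog"),
    ("kern.*", "/var/log/kern.log"),
    ("mail.*", "/var/log/mail.log"),
    ("*.=info;*.=notice;*.=warn;auth,authpriv.none;"
     "cron,daemon.none;mail,news.none", "/var/log/messages"),
]


def selector_matches(selector_list, facility, severity):
    """Evaluate a ';'-separated selector list left to right for one message."""
    mask = set()  # severity indexes currently accepted for this facility
    for selector in selector_list.split(";"):
        facilities, prio = selector.rsplit(".", 1)
        if facilities != "*" and facility not in facilities.split(","):
            continue  # this selector does not mention our facility
        if prio == "none":
            mask = set()  # "none" cancels whatever earlier selectors allowed
        elif prio == "*":
            mask = set(range(len(SEVERITIES)))
        elif prio.startswith("="):
            mask.add(SEVERITIES.index(prio[1:]))  # exactly this severity
        else:
            # a bare priority means "this severity and anything more severe"
            mask |= set(range(SEVERITIES.index(prio) + 1))
    return SEVERITIES.index(severity) in mask


def destinations(facility, severity, rules=RULES):
    """Return every log file whose selector list accepts the message."""
    return [path for sel, path in rules
            if selector_matches(sel, facility, severity)]


if __name__ == "__main__":
    # Constructed sample messages as (facility, severity) pairs.
    samples = [("kern", "warn"), ("kern", "debug"), ("auth", "info"),
               ("daemon", "info"), ("user", "notice"), ("mail", "err")]
    for fac, sev in samples:
        print(f"{fac}.{sev:<7} -> {', '.join(destinations(fac, sev))}")
```

Under these rules an `auth` message reaches only `/var/log/auth.log`, so a timeline built from `/var/log/syslog` alone has no login or sudo events in it.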